Type: Conference paper
Title: Revenue maximizing markets for zero-day exploits
Author: Guo, M.
Hata, H.
Babar, A.
Citation: Proceedings of the 19th International Conference on Principles and Practice of Multi-Agent Systems: PRIMA 2016, 2016 / vol.9862 LNCS, pp.247-260
Publisher: Springer International Publishing
Issue Date: 2016
Series/Report no.: Lecture Notes in Computer Science (LNCS, vol. 9862)
ISBN: 9783319448312
ISSN: 0302-9743
Conference Name: 19th International Conference on Principles and Practice of Multi-Agent Systems: PRIMA 2016 (22 Aug 2016 - 26 Aug 2016 : Phuket, Thailand)
Statement of Responsibility: Mingyu Guo, Hideaki Hata, and Ali Babar
Abstract: Markets for zero-day exploits (software vulnerabilities unknown to the vendor) have a long history and a growing popularity. We study these markets from a revenue-maximizing mechanism design perspective. We first propose a theoretical model for zero-day exploits markets. In our model, one exploit is being sold to multiple buyers. There are two kinds of buyers, which we call the defenders and the offenders. The defenders are buyers who buy vulnerabilities in order to fix them (e.g., software vendors). The offenders, on the other hand, are buyers who intend to utilize the exploits (e.g., national security agencies and police). Our model is more than a single-item auction. First, an exploit is a piece of information, so one exploit can be sold to multiple buyers. Second, buyers have externalities. If one defender wins, then the exploit becomes worthless to the offenders. Third, if we disclose the details of the exploit to the buyers before the auction, then they may leave with the information without paying. On the other hand, if we do not disclose the details, then it is difficult for the buyers to come up with their private valuations. Considering the above, our proposed mechanism discloses the details of the exploit to all offenders before the auction. The offenders then pay to delay the exploit being disclosed to the defenders.
Keywords: Revenue maximization, mechanism design, security economics, bug bounty
Rights: © Springer International Publishing Switzerland 2016
RMID: 0030054700
DOI: 10.1007/978-3-319-44832-9_15
Appears in Collections: Computer Science publications

Files in This Item:
File: RA_hdl_108871.pdf
Description: Restricted Access
Size: 194.35 kB
Format: Adobe PDF